Pair a Device to the Keychain
  • 11 May 2023


When an already-initialized device (YubiKey, etc.) is plugged in for the first time, the user is asked to associate the token with the account currently logged on.

Prerequisites

  • The smart card device must already be personalized with a certificate for PIV authentication. See Add an Identity Device for procedures.
  • Ensure smart card pairing is enabled on your machine.

To Pair a Device Using SmartCard Pairing

  1. Insert the smart card device in the card reader or USB port.
  2. Select the card identity to use and click Pair.
  3. Enter your password and click Pair.
  4. Enter your PIN and click OK.
  5. Re-enter your password and click OK.
    You can now use your device to open and unlock both your session and your keychain. Any system prompt to authenticate will now ask for the card PIN.

To Pair a Device Using the Command Line

  1. Open Terminal.
  2. Run the sudo sc_auth identities command to list all certificates available for authentication on the smart card device (YubiKey).
    SmartCard: com.apple.pivtoken:BA2A35B49A275645BD5D60593E7E7C89
    Unpaired identities:
    B912C8D7CB081E17B457BE7F4283E476D0174877 Certificate For Digital Signature
    (FirstName LastName)
    883B74CF2E6512B5F2FAEE6D92D3F56B9DCFB294 Certificate For PIV Authentication
    (FirstName LastName)
  3. Highlight and copy the hash listed for the certificate you want to use.
  4. Run the sudo sc_auth pair -u <user> -h <hash> command, where <user> is the current user logged in to the Mac (which may or may not be different from the user listed in the certificate details above), and <hash> is the hash corresponding to the certificate to map.
    NOTE
    If working with the currently logged-on user, use $(whoami) for the username. You do not need elevated privileges (sudo).
    Example command: sudo sc_auth pair -u $(whoami) -h 883B74CF2E6512B5F2FAEE6D92D3F56B9DCFB294
  5. When the Enter PIN dialog box displays, enter your device PIN.
  6. Click OK.
    You can now use your device to open and unlock both your session and your keychain. Any system prompt to authenticate will now ask for the card PIN.
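
One way to script steps 2 to 4 so the hash is selected by certificate label instead of being copied by hand, which avoids mapping the Digital Signature certificate by mistake. This is an added example, not part of the original article or any vendor tooling. The helper names unpaired_hash_for and pair_command are hypothetical, the sample output is the one shown in step 2, and the rule that any other line ending in ":" closes the unpaired section is an assumption.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of sc_auth.

# Sample `sc_auth identities` output, taken from step 2 of the article.
SAMPLE_OUTPUT='SmartCard: com.apple.pivtoken:BA2A35B49A275645BD5D60593E7E7C89
Unpaired identities:
B912C8D7CB081E17B457BE7F4283E476D0174877 Certificate For Digital Signature
(FirstName LastName)
883B74CF2E6512B5F2FAEE6D92D3F56B9DCFB294 Certificate For PIV Authentication
(FirstName LastName)'

# unpaired_hash_for LABEL: read `sc_auth identities` output on stdin and print
# the hash of the single unpaired identity whose label contains LABEL.
# Exits non-zero (printing nothing on stdout) on zero or several matches.
unpaired_hash_for() {
    awk -v want="$1" '
        /^[ \t]*Unpaired identities:/ { in_unpaired = 1; next }
        # Assumption: any other header line ending in ":" closes the section.
        /:[ \t]*$/ { in_unpaired = 0; next }
        in_unpaired && $1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 40 && index($0, want) {
            hash = $1; count++
        }
        END {
            if (count != 1) {
                printf "expected 1 unpaired \"%s\" identity, found %d\n", want, count > "/dev/stderr"
                exit 1
            }
            print hash
        }'
}

# pair_command USER HASH: validate HASH (40 hex characters, as in the sample)
# and print the step 4 command for review. It does not run the pairing.
pair_command() {
    case "$2" in
        ''|*[!0-9A-Fa-f]*) echo "hash is not hexadecimal" >&2; return 1 ;;
    esac
    [ "${#2}" -eq 40 ] || { echo "hash is not 40 characters" >&2; return 1; }
    printf 'sudo sc_auth pair -u %s -h %s\n' "$1" "$2"
}

# Demo on the sample above. On a Mac, feed the real listing instead:
#   sudo sc_auth identities | unpaired_hash_for "PIV Authentication"
hash=$(printf '%s\n' "$SAMPLE_OUTPUT" | unpaired_hash_for "PIV Authentication") &&
    pair_command '$(whoami)' "$hash"
```

A label that matches more than one identity (for example "Certificate") is rejected instead of silently picking the last match.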
